GCP SCIM Connector Features
The GCP Connector by EmpowerID synchronizes identity data between EmpowerID and Google Cloud Platform (GCP). At a high level, the connector provides the following capabilities:
Full and incremental inventory support for:
User accounts, service accounts, and guest accounts
Groups
Group memberships for all account types
Group-to-group memberships
Create, update, disable, and delete user accounts.
Enable, disable, and delete service accounts.
Create, update, and delete groups.
Provisioning of accounts through EmpowerID Resource Entitlements.
Resetting passwords for user accounts.
Handling group membership additions and removals for all account types.
Assigning group memberships to accounts through management role (RBAC) assignments.
Supported Operations by GCP Microservice
The SCIM microservice for GCP (Google Cloud Platform) exposes several endpoints for identity management and data synchronization between GCP and the connector. The specific operations, their HTTP methods, and their descriptions are listed below:
Name | Method | URL | Description |
---|---|---|---|
Query Projects | GET | | Queries projects. |
Query Users | GET | | Queries users. |
Query Predefined IAM Roles | GET | | Queries predefined IAM roles. |
Query Project Custom IAM Roles | GET | | Queries custom IAM roles for a specific project. |
Query Organization Custom IAM Roles | GET | | Queries custom IAM roles for an organization. |
Query Resources | GET | | Queries resources associated with an organization. |
Query IAM Policies | GET | | Queries IAM policies. |
Query Organizations | GET | | Queries all organizations. |
Query Directory Roles | GET | | Queries directory roles. |
Query Privileges | GET | | Queries privileges. |
Query Organizational Units | GET | | Queries organizational units. |
Query Role Assignments | GET | | Queries role assignments. |
Query Role Assignments Delta | GET | | Queries role assignments that have changed since the specified start time. |
Query Service Accounts | GET | | Retrieves service accounts associated with an organization. |
Get Service Account by ID | GET | | Retrieves a specific service account by ID. |
Create Service Account | POST | | Creates a new service account. |
Update Service Account | PATCH | | Updates an existing service account. |
Delete Service Account | DELETE | | Deletes a service account. |
Disable Service Account | GET | | Disables a service account. |
Enable Service Account | GET | | Enables a service account. |
Query Groups | GET | | Queries all groups. |
Create Group | POST | | Creates a new group. |
Get Group by ID | GET | | Retrieves a specific group by ID. |
Update Group (patch) | POST | | Updates an existing group. |
Delete Group | DELETE | | Deletes a group. |
Query Groups Delta | GET | | Queries groups that have been created or updated since the specified start time. |
Query Group Members | GET | | Queries members of a specific group. |
Delete Group Member | DELETE | | Deletes a specific member from a group. |
Create Group Member | POST | | Creates a new member in a group. |
Update Group Member | POST | | Updates a specific member's details in a group. |
Query Group Members Delta | GET | | Queries members of a group that have been created or updated since the specified start time. |
Note that Disable Service Account and Enable Service Account are exposed over GET, and Update Group and Update Group Member over POST rather than PATCH. Treat these calls as state-changing regardless of the HTTP verb: do not let proxies or clients cache, retry blindly, or prefetch them, and restrict who can reach the microservice, since a GET that disables a service account is as sensitive as any write.
Inventory
The GCP Connector provides the two standard inventory processes found in every EmpowerID connector:
Incremental Inventory: This process reads the LastTimeStamp of the previous inventory run and imports only the user and group identity data that has changed since then.
Full Inventory: This process imports all GCP users and groups each time the inventory job runs. Because the microservice's delta endpoints (groups, group members, and role assignments) report only objects created or updated since a start time, schedule full inventory runs as well so that objects no longer present in GCP are reconciled in EmpowerID.
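The watermark logic behind an incremental run, and the reconciliation that only a full run can do, as an added example in Python. This is not EmpowerID or Google code; the delta and full query functions are stand-ins for the microservice endpoints, and the group data and timestamps are constructed sample values.

```python
"""Added example (not EmpowerID's code): incremental inventory driven by a
LastTimeStamp watermark against a delta query, and a full inventory run that
reconciles deletions the delta can never report.

The query functions below are stand-ins for the microservice endpoints, and
SAMPLE_GROUPS is constructed data (group id -> last-modified time)."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

SAMPLE_GROUPS = {
    "g-finance":  datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc),
    "g-platform": datetime(2024, 5, 3, 14, 30, tzinfo=timezone.utc),
    "g-retired":  datetime(2024, 4, 20, 8, 0, tzinfo=timezone.utc),
}


def query_groups_delta(start_time, source=SAMPLE_GROUPS):
    """Stand-in for Query Groups Delta: groups created/updated at or after start_time."""
    return {gid: ts for gid, ts in source.items() if ts >= start_time}


def query_groups_full(source=SAMPLE_GROUPS):
    """Stand-in for Query Groups: every group currently in GCP."""
    return dict(source)


class InventoryState:
    """What EmpowerID retains between runs: known objects and the watermark."""
    def __init__(self, known=None, last_timestamp=None):
        self.known = dict(known or {})
        self.last_timestamp = last_timestamp


def incremental_inventory(state, now, source=SAMPLE_GROUPS):
    """Import only changes since LastTimeStamp and advance the watermark.

    Two details that matter in practice:
    * The new watermark is the time this run started, not when it finished,
      so a change written while the run is in flight is picked up next time.
    * The delta query is inclusive (>=). An object modified exactly at the
      watermark is therefore returned twice; re-importing it is harmless
      (the import is an idempotent upsert), whereas an exclusive query
      could silently miss it.
    """
    run_started = now
    since = state.last_timestamp or datetime.min.replace(tzinfo=timezone.utc)
    changed = query_groups_delta(since, source)
    state.known.update(changed)
    state.last_timestamp = run_started
    return sorted(changed)


def full_inventory(state, now, source=SAMPLE_GROUPS):
    """Re-import everything and reconcile: anything EmpowerID knows that GCP
    no longer returns is reported as deleted. Only the full run can do this,
    because the delta endpoint describes created/updated objects only."""
    current = query_groups_full(source)
    deleted = sorted(set(state.known) - set(current))
    state.known = current
    state.last_timestamp = now
    return deleted


def demo():
    """Baseline full run, then GCP-side changes, then incremental vs full."""
    state = InventoryState()
    t0 = datetime(2024, 5, 4, 0, 0, tzinfo=timezone.utc)
    full_inventory(state, t0)                      # baseline: 3 groups known
    # Constructed GCP-side changes after t0: one group updated, one deleted.
    gcp_now = dict(SAMPLE_GROUPS)
    gcp_now["g-finance"] = t0 + timedelta(hours=2)
    del gcp_now["g-retired"]
    t1 = t0 + timedelta(days=1)
    changed = incremental_inventory(state, t1, gcp_now)      # ['g-finance']
    still_known = "g-retired" in state.known                 # True: delta cannot see deletions
    deleted = full_inventory(state, t1 + timedelta(hours=1), gcp_now)  # ['g-retired']
    return changed, still_known, deleted


if __name__ == "__main__":
    print(demo())
```

The `still_known` value is the point: after the incremental run the deleted group is still present in EmpowerID's view, and only the subsequent full run removes it.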
Attribute Mappings
The GCP Connector by EmpowerID synchronizes Google Cloud Platform (GCP) and EmpowerID by mapping relevant attributes from GCP to EmpowerID object attributes. Below are the detailed mappings for user attributes, group attributes, and service account attributes between GCP and EmpowerID.
User Attributes
During the GCP and EmpowerID inventory process, user accounts from GCP are synced with EmpowerID. The following table outlines how GCP user attributes map to EmpowerID account attributes:
SCIM Microservice Attribute | EmpowerID Account Attribute | Description |
---|---|---|
name['givenName'] | FirstName | Maps to the user's first name. |
name['familyName'] | LastName | Maps to the user's last name. |
['displayName'] | DisplayName | The user's full name, formed by concatenating the first and last name values. |
name['formatted'] | CustomAttribute17 | May contain the user's display name (optional). |
active | Active | Indicates whether the user account is active in GCP, meaning it is not suspended, archived, or deleted. |
country | Country | Maps to the user's country. This attribute supports only one-way sync from GCP to EmpowerID (the Account Store Changes Only attribute flow). |
photos[0]['value'] | PhotoUrl | The URL of the user's profile photo. The URL may be temporary or private. |
meta['created'] | CreatedTimeStamp | Creation time of the user's Google Workspace (formerly G Suite) account. |
preferredLanguage | PreferredLanguage | Maps to the user's language when the user profile has a single language. |
agreedToTerms | CustomAttribute2 | True if the user has completed an initial login and accepted the Terms of Service agreement. |
changePasswordAtNextLogin | MustChangePasswordOnNextLogin | Indicates whether the user is forced to change their password at next login. This setting does not apply when the user signs in through a third-party identity provider. |
includeInGlobalAddressList | CustomAttribute3 | Indicates whether the user's profile is visible in the Google Workspace global address list when contact sharing is enabled for the domain. |
ipWhitelisted | CustomAttribute4 | If true, the user's IP address is subject to a deprecated IP address allowlist configuration. |
isAdmin | CustomAttribute5 | Indicates a user with super administrator privileges. |
isDelegatedAdmin | CustomAttribute6 | Indicates whether the user is a delegated administrator. Delegated administrators are supported by the API but cannot create or undelete users, or make users administrators. |
isEnforcedIn2Sv | CustomAttribute7 | Indicates whether two-step verification is enforced for the user in GCP. |
isEnrolledIn2Sv | CustomAttribute8 | Indicates whether the user is enrolled in two-step verification in GCP. |
isMailboxSetup | CustomAttribute9 | Indicates whether the user's Google mailbox has been created. Applies only if the user has been assigned a Gmail license. |
lastLoginTime | LastLogin | Timestamp of the user's last login in GCP. |
orgUnitPath | OrgUnit | The full path of the user's parent organizational unit. If the parent is the top-level organization, it is represented as a forward slash (/). |
primaryEmail | | Maps to the user's primary email address in GCP. |
recoveryEmail | CustomAttribute10 | Contains the user's recovery email address in GCP. |
recoveryPhone | PhoneNumber | The user's recovery phone number. The number must be in E.164 format, starting with a plus sign (+), for example +16506661212. |
['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['suspensionReason'] | CustomAttribute11 | The reason the user account was suspended, either by an administrator or by Google, recorded at the time of suspension. Returned only if the suspended property is true. |
['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['archived'] | CustomAttribute12 | Indicates whether the user account is archived. |
['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['removed'] | CustomAttribute13 | Indicates whether the user account has been removed. |
['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['removedOn'] | CustomAttribute14 | The date and time at which the user account was removed. |
| AccountUsageType | One of three values: Personal (user accounts), Guest, or Service. |
['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['plain'].firstHomePhone | HomePhone | The first of possibly several home phone numbers. |
['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['plain'].firstMobilePhone | MobilePhone | Maps to the user's mobile phone number in GCP. |
['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['plain'].firstBusinessPhone | PhonesOther | The user's first business phone number. |
['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['plain'].firstOrgDepartment | Department | The user's first organizational department. |
['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['plain'].firstOrgTitle | Title | The user's first organizational title. |
['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['suspended'] | Suspended | Indicates whether the user account is suspended. |
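The user mapping above, applied to one SCIM resource, as an added example in Python. This is not EmpowerID's mapping code: the sample resource is constructed to match the attribute paths in the table, the helper names are mine, and the `privileged_flags` review check at the end is an addition that uses the mapped admin and two-step-verification attributes rather than anything the page describes.

```python
"""Added example (not EmpowerID's code): map a SCIM user resource returned by
the GCP microservice onto the EmpowerID account attributes listed in the
table above. SAMPLE_USER is constructed; _get, map_user and privileged_flags
are names chosen here."""
from __future__ import annotations
import re
from typing import Any

EXT = "urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User"
E164 = re.compile(r"^\+[1-9]\d{1,14}$")   # E.164: '+' followed by up to 15 digits

SAMPLE_USER = {
    "name": {"givenName": "Ada", "familyName": "Lovelace", "formatted": "Ada Lovelace"},
    "active": True,
    "preferredLanguage": "en-GB",
    "photos": [{"value": "https://example.invalid/photo.jpg"}],
    "meta": {"created": "2023-11-05T10:15:00Z"},
    "isAdmin": False,
    "isDelegatedAdmin": True,
    "isEnforcedIn2Sv": True,
    "isEnrolledIn2Sv": False,
    "changePasswordAtNextLogin": False,
    "orgUnitPath": "/Engineering",
    "recoveryPhone": "+16506661212",
    EXT: {
        "suspended": False,
        "archived": False,
        "removed": False,
        "plain": {"firstMobilePhone": "+442071234567", "firstOrgTitle": "Engineer"},
    },
}


def _get(obj: Any, *path: Any, default: Any = None) -> Any:
    """Walk nested dicts/lists (e.g. photos[0]['value']); a missing key or
    index returns default instead of raising, since SCIM attributes are optional."""
    for key in path:
        try:
            obj = obj[key]
        except (KeyError, IndexError, TypeError):
            return default
    return obj


def map_user(scim: dict[str, Any]) -> dict[str, Any]:
    ext = scim.get(EXT, {})
    first = _get(scim, "name", "givenName", default="")
    last = _get(scim, "name", "familyName", default="")
    phone = scim.get("recoveryPhone")
    return {
        "FirstName": first,
        "LastName": last,
        # DisplayName is built from first + last, not read from the resource.
        "DisplayName": " ".join(p for p in (first, last) if p),
        "CustomAttribute17": _get(scim, "name", "formatted"),
        # 'active' already means not suspended, archived or deleted on the GCP side.
        "Active": bool(scim.get("active", False)),
        "PhotoUrl": _get(scim, "photos", 0, "value"),
        "CreatedTimeStamp": _get(scim, "meta", "created"),
        "PreferredLanguage": scim.get("preferredLanguage"),
        "MustChangePasswordOnNextLogin": scim.get("changePasswordAtNextLogin"),
        "CustomAttribute5": scim.get("isAdmin"),
        "CustomAttribute6": scim.get("isDelegatedAdmin"),
        "CustomAttribute7": scim.get("isEnforcedIn2Sv"),
        "CustomAttribute8": scim.get("isEnrolledIn2Sv"),
        "OrgUnit": scim.get("orgUnitPath"),
        # Only accept a recovery phone that is valid E.164; otherwise leave it unset.
        "PhoneNumber": phone if phone and E164.match(phone) else None,
        "Suspended": ext.get("suspended"),
        # suspensionReason is only meaningful (and only returned) when suspended is true.
        "CustomAttribute11": ext.get("suspensionReason") if ext.get("suspended") else None,
        "CustomAttribute12": ext.get("archived"),
        "CustomAttribute13": ext.get("removed"),
        "CustomAttribute14": ext.get("removedOn"),
        "HomePhone": _get(ext, "plain", "firstHomePhone"),
        "MobilePhone": _get(ext, "plain", "firstMobilePhone"),
        "PhonesOther": _get(ext, "plain", "firstBusinessPhone"),
        "Department": _get(ext, "plain", "firstOrgDepartment"),
        "Title": _get(ext, "plain", "firstOrgTitle"),
    }


def privileged_flags(account: dict[str, Any]) -> list[str]:
    """Added review check: admin-related conditions worth flagging after an
    inventory run, derived from the mapped attributes."""
    flags = []
    if account.get("CustomAttribute5"):
        flags.append("super-admin")
    if account.get("CustomAttribute6"):
        flags.append("delegated-admin")
    if account.get("Active") and not account.get("CustomAttribute8"):
        flags.append("active-without-2sv")
    return flags


if __name__ == "__main__":
    acct = map_user(SAMPLE_USER)
    print(acct["DisplayName"], privileged_flags(acct))
```

Two behaviours are deliberate: a recovery phone that is not E.164 is dropped rather than stored as-is, and `CustomAttribute11` is only populated when the account is actually suspended, matching the condition in the table.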
Group Attribute Mappings
During the GCP and EmpowerID inventory process, group information from GCP is synced with EmpowerID. The following table outlines how GCP group attributes map to EmpowerID group attributes.
GCP Attribute | EmpowerID Group Attribute | Description |
---|---|---|
['description'] | Description | An extended description that helps users determine the purpose of a group. For example, it can describe who should join the group, the types of messages to send to it, links to FAQs about the group, or related groups. |
['adminCreated'] | CustomAttribute16 | Indicates whether the group was created by an administrator. |
['email'] | CustomAttribute15 | The email address associated with the group. |
['displayName'] | DisplayName | Maps to the display name of the group. |
Service Account Attribute Mappings
The following table outlines how service account attributes from GCP map to the corresponding EmpowerID account attributes.
GCP Attribute | EmpowerID Account Attribute | Description |
---|---|---|
displayName | DisplayName | Name of the service account as it appears in GCP. |
['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:Resource']['versionedResources'][?(@.version=='v1')].resource.email | CustomAttribute18 | Maps to the service account's email address, taken from the v1 entry of the versioned resources. |
description | Description | Description of the service account. |
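The service account email mapping above uses a JSONPath-style filter (`[?(@.version=='v1')]`) to pick one entry out of a list. Resolving that selector in plain Python, together with the group mapping from the previous table, as an added example that is not EmpowerID's code: the sample resources are constructed, the function names are mine, and the `AccountUsageType` value of Service comes from the user attribute table earlier on this page.

```python
"""Added example (not EmpowerID's code): resolve the versionedResources
filter from the service account mapping table, and map the group attributes.
SAMPLE_SERVICE_ACCOUNT and the group passed in the test are constructed."""
from __future__ import annotations
from typing import Any

RES_EXT = "urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:Resource"

SAMPLE_SERVICE_ACCOUNT = {
    "displayName": "ci-deployer",
    "description": "Deploys from the CI pipeline",
    RES_EXT: {
        "versionedResources": [
            {"version": "v1beta1", "resource": {"email": "old@example.invalid"}},
            {"version": "v1",
             "resource": {"email": "ci-deployer@example-project.iam.gserviceaccount.com"}},
        ]
    },
}


def versioned_resource(scim: dict[str, Any], version: str = "v1") -> dict[str, Any] | None:
    """Equivalent of ['versionedResources'][?(@.version=='v1')].resource:
    the first entry whose version matches, or None. A missing extension or an
    empty list must not raise, because the SCIM resource may omit them."""
    entries = scim.get(RES_EXT, {}).get("versionedResources", [])
    return next((e.get("resource") for e in entries if e.get("version") == version), None)


def map_service_account(scim: dict[str, Any]) -> dict[str, Any]:
    v1 = versioned_resource(scim, "v1") or {}
    return {
        "DisplayName": scim.get("displayName"),
        "Description": scim.get("description"),
        "CustomAttribute18": v1.get("email"),
        # AccountUsageType is Service for service accounts (see the user attribute table).
        "AccountUsageType": "Service",
    }


def map_group(scim: dict[str, Any]) -> dict[str, Any]:
    """Group mapping from the preceding table."""
    return {
        "Description": scim.get("description"),
        "CustomAttribute16": scim.get("adminCreated"),
        "CustomAttribute15": scim.get("email"),
        "DisplayName": scim.get("displayName"),
    }


if __name__ == "__main__":
    print(map_service_account(SAMPLE_SERVICE_ACCOUNT))
```

The `v1beta1` entry in the sample is there to show that the filter matches on the exact version string rather than taking the first list element.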